When the Trojan is executed, it may drop the following file:
%UserProfile%\Application Data\[8 HEXADECIMAL DIGITS].dll
The Trojan then creates the following registry entries so that it runs every time Windows starts:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[8 HEXADECIMAL DIGITS]" = "rundll32.exe "%SystemDrive%\Documents and Settings\All Users\[8 HEXADECIMAL DIGITS].dll""
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[8 HEXADECIMAL DIGITS]" = "rundll32.exe "%SystemDrive%\Documents and Settings\All Users\Application Data\[8 HEXADECIMAL DIGITS].dll",Launch"
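The two Run values above share a recognisable shape: a value name made of exactly eight hexadecimal digits, and data that invokes rundll32.exe against a DLL, also named by eight hexadecimal digits, under the All Users profile. The following script is an added triage example, not part of this writeup or of any Symantec tooling: it parses a registry export in the format produced by `reg export` (sample export constructed inline; the value names and paths in it are made up to match the pattern and are not indicators from this writeup) and flags Run entries that match that shape.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of a "reg export" of both Run keys. The two hex-named
# entries are made up to mirror the persistence values described above;
# the other two stand in for ordinary autostart entries.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"3F2A9C1B"="rundll32.exe \"C:\\Documents and Settings\\All Users\\Application Data\\3F2A9C1B.dll\",Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"A1B2C3D4"="rundll32.exe C:\\Documents and Settings\\All Users\\A1B2C3D4.dll"
'''

# The two autostart keys named in the writeup (compared case-insensitively).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}

KEY_LINE = re.compile(r"^\[(.+)\]$")
# "name"="data" with reg-export escaping (backslashes doubled, quotes as \").
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
HEX8_NAME = re.compile(r"^[0-9A-Fa-f]{8}$")
# rundll32 followed, somewhere later, by a DLL whose basename is 8 hex digits.
RUNDLL_HEX8_DLL = re.compile(r"(?i)rundll32(?:\.exe)?\b.*[\\/\"]([0-9A-Fa-f]{8})\.dll\b")


def parse_reg_export(text: str) -> List[Tuple[str, str, str]]:
    """Return (key_path, value_name, value_data) for each string value."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_LINE.match(line)
        if key_match:
            current_key = key_match.group(1)
            continue
        value_match = VALUE_LINE.match(line)
        if value_match and current_key:
            # Undo reg-export escaping: \\ -> \ and \" -> "
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in value_match.groups())
            entries.append((current_key, name, data))
    return entries


def find_suspicious_run_entries(text: str) -> Dict[str, dict]:
    """Flag Run values showing at least two of the traits described above.

    Returns a mapping of value name -> {key, data, reasons}.
    """
    findings = {}
    for key, name, data in parse_reg_export(text):
        if key.lower() not in RUN_KEYS:
            continue
        reasons = []
        if HEX8_NAME.match(name):
            reasons.append("value name is exactly 8 hexadecimal digits")
        dll_match = RUNDLL_HEX8_DLL.search(data)
        if dll_match:
            reasons.append(f"rundll32 loads {dll_match.group(1)}.dll, named by 8 hex digits")
        if "\\all users\\" in data.lower():
            reasons.append("DLL lives under the All Users profile")
        # Requiring two corroborating traits keeps the odd hex-named but
        # legitimate value from being reported on its own.
        if len(reasons) >= 2:
            findings[name] = {"key": key, "data": data, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for name, info in find_suspicious_run_entries(SAMPLE_REG_EXPORT).items():
        print(f"{info['key']}\\{name}")
        print(f"  data:    {info['data']}")
        for reason in info["reasons"]:
            print(f"  reason:  {reason}")
```

On a live host, feed it the output of `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run run.reg` (and the HKLM equivalent) rather than the constructed sample; the parser only understands the string-value lines that `reg export` emits, so binary or expandable-string values are skipped.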
Next, the Trojan gathers the following information from the compromised computer:
- Volume information
- Operating system version
- User name
- Disk space
The Trojan then encodes the stolen information and sends it to the following remote location:
The Trojan then opens a back door on the compromised computer, allowing an attacker to perform malicious activities on it.
Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":